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(57) Abstract 

A generic communications 
network (100) provides an 
encrypted communications 
interface between service networks 
(130, 132, 134) and their 
subscribers. When conununications 
are initiated between a subscribing 
conununicatiwis terminal (118) 
and the generic network (ICK)), 
the terminal (118) compares a 
stored network identifier associated 
with a stored public key, with 
a unique identifier broadcast by 
the generic network (100). If a 
match is found, the terminal (118) 
generates a random secret key, 
encrypts the secret key with the 
stored public key, and transmits 
tht encrypted secret key. The 
generic communications network 
(100) decrypts the secret key using 
a private key associated witii the 
public key. The secret key is used 
tiiereafter by the terminal (118) 
and the generic network (1(X)) to 
encrypt and decrypt die ensuing 
radio traffic. Consequently, the 
network (100) can maintain secure 
communications with the terminal 
(118) without ever knowing the terminates identity. 
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METHOD AND APPARATUS FOR ENCRYPTING RADIO TRAFFIC 
IN A TELECOMMUNICATIONS NETWORK 

BACKGROUND OF THE INVENTION 
5 Technical Field of the Invention 

The present invention relates generally to the field of wireless radio 
conununications and, in particular, to a method and apparatus for encrypting radio 
traffic between terminals and a mobile communications network. 
Description of Related Art 

10 The need for increased mobility and versatility in telecommunications 

networks requires the networks to cover larger geographical areas and provide a 
broader range of telecommunications services to subscribers. These 
telecommunications services include teleservices and bearer services. A teleservice 
provides the necessary hardware and software for a subscriber to communicate with 

15 another subscriber (e.g., terminal, etc.). A bearer service provides the capacity 
required to transmit appropriate signals between two access points (e.g., ports) that 
provide an interface with a network. Telecommunications services can be provided 
to subscribers by a number of service networks, such as, for example, public land 
mobile teleconmiunications networks (PLMNs), public switched telephone networks 

20 (PSTNs), integrated services digital networks (ISDNs), the so-called "Internet" 
access networks, video on demand (VOD) networks, and other proprietary service 
networks. 

In response to the need for increased mobility and versatility, a new mobile 
radio telecommunications network is being developed, which has a generic interface 

25 through which a service network subscriber can be connected with that service 
network regardless of the subscriber's geographic location. This generic mobile 
radio network is referred to as the "Generic Access Network" (GAN). In order to 
more readily understand the present invention, which deals primarily with 
encrypting communications traffic between terminals and a GAN, a brief description 

30 of such a GAN is provided below with respect to FIGURE 1. 
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FIGURE 1 is a perspective view of an exemplary GAN connected to a 
plurality of service networks and service network subscribers. The GAN (10) 
illustrated by HGURE 1 includes an access network interconnected with a transport 
network. The access network includes a plurality of base stations (e.g.. BSl and 
BS2). Each base station includes a radio transmitter and receiver that provides 
communications coverage for a respective geographical area (e.g., a so-called cell, 
CI and C2). The base stations are connected to a radio network controller (RNC) 
12. Although not shown explicitly, certain of the base stations can be connected to 
RNC 12 (e.g. , BSl and BS2), and certain other of the base stations can be connected 
to one or more other RNCs. A plurality of the RNCs can be interconnected to 
provide a communications path therebetween. The RNCs distribute signals to and 
from the connected base stations. 

A plurality of service networks (e.g.. VOD network. PLMN. PSTN. 
Internet) are connected through respective access input ports (14, 16, 18, 20, 22, 24 
15 and 26) to the access network of GAN 10. Each service network uses its own 
standard signaling protocol to communicate between its internal signaling nodes. 
For example, the Global System for Mobile communications (GSM), which is a 
digital cellular PLMN that has been fielded throughout Europe, uses the Multiple 
Application Part (MAP) signaling protocol. As illustrated by HGURE 1 , the RNCs 
20 in the access network are connected through at least one of the access input ports to 
a service network. As shown, RNC 12 is connected through access ports 20 and 24, 
respectively, to the PLMN and PSTN service networks. 

Mobile terminals 28 and 30 are located within the radio coverage area of 
GAN 10. and can establish a connection with each of the base stations (e.g.. BS2) 
in the access network. These mobile tenninals can be, for example, a cellular 
phone, mobile radiotelephone, personal computer (notebook, laptop, etc.) possibly 
connected to a digital cellular phone, or mobile television receiver (for VOD). 
Signal transport between a mobile terminal and a selected service network takes 
place over specified signal carriers. For example, signals are transported between 
30 the cellular phone (28) and the PLMN service network over signal carriers SCI and 
SC2. 



25 
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The mobile terminals (e.g., 28 and 30) include an access section and service 
network section. The access section of a mobile terminal is a logical part of the 
access network and handles the signaling required to establish the signal carrier 
(e.g., SC2 and SC4) between the mobile terminals and RNC 12. The service 
5 network section of a mobile terminal is a logical part of the service network to 
which that terminal's user subscribes. The service network section of a mobile 
terminal receives and transmits signals, in accordance with the specified standards 
of its related service network, via the established signal carriers SCI and SC2 (or 
SC4). The radio interface portion of the signal carrier SC2 or SC4 (between the 
10 mobile terminal and base station) can be time division multiple access (TDM A), 
code division multiple access (CDMA), or any other type of multiple access 
interface. 

The service network subscribers can access their respective service network 
through the GAN. The GAN provides a signal carrier interface that allows a 

15 message to be transported transparently over a signal carrier (e.g., SCI and SC2) 
between the service network part of a mobile terminal and its service network. The 
GAN accomplishes this function by matching the characteristics of the signaling 
connections and traffic connections of all of the service networks that cormect to it. 
Consequently, the GAN can extend the coverage of existing service networks and 

20 also increase the subscribers' degree of mobility. 

A unique characteristic of a GAN is that it has no subscribers of its own. 
The mobile users of the GAN are permanent subscribers to their own service 
networks, but they are only temporary users of the GAN. Consequently, a GAN 
does not know (or need to know) the identity of these users. However, a problem 

25 arises in attempting to encrypt radio traffic between the mobile terminals and the 
GAN. 

Radio traffic (e.g., speech information or data) between mobile terminals and 
base stations is typically encrypted to ensure that the information being passed 
remains confidential. Although some service networks (e.g., GSM) encrypt traffic, 
30 most other service networks do not. Consequently, a GAN should be capable of 
encrypting traffic for those service networks that do not have that capability. 
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However, since a GAN does not know the identity of its users (the service network 
subscribers), it must be capable of enciypting radio traffic using encryption keys that 
are created without knowing a subscribing terminal's identity or authenticity. 
Unfortunately, most existing mobile communications networks use encryption 
techniques that generate encryption keys by using authentication parameters. In 
other words, to encrypt radio traffic in a conventional mobile communications 
network, the user terminal's identity must be known. 

SUMMARY OF THE INVENTION 

It is an object of the present invention to encrypt communications between 
a mobile terminal and a communications network without requiring the network to 
know the identity of the terminal. 

It is also an object of the present invention to encrypt communications 
between a plurality of mobile terminals and a communications network without 
requiring the network to maintain individual encryption keys for each of the 
terminals. 

It is another object of the present invention to encrypt communications 
between a mobile terminal and a conmiunications network without requiring the 
terminal to permanently store a secret encryption key. 

It is yet another object of the present invention to minimize call setup time, 
minimize transmission delays, and maximize data throughput, while encrypting 
conununications between a mobile terminal and a communications network. 

In accordance with one aspect of the present invention, a method is provided 
for encrypting connununications between a communications network and a 
communications terminal, by storing a public key associated with the network at the 
terminal, generating a secret key at the terminal, encrypting the secret key with the 
stored public key at the terminal, transmitting the encrypted secret key from the 
terminal, receiving the encrypted secret key at the network, decrypting the received 
encrypted secret key with a private key, where the private key is associated with the 
public key, and encrypting the ensuing traffic with the secret key. If a public key 
has not been stored at the terminal, then the terminal transmits a request to the 
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network for a public key. As such, the network is not required to know the identity 
of the terminal in order to maintain encrypted communications with the terminal. 

In accordance with another aspect of the present invention, the foregoing and 
other objects are achieved by a method and an apparatus for encrypting traffic 
5 between a communications network and a conununications terminal by broadcasting 
a (asymmetric) public key from the network. The public key is received by the 
terminal. The network maintains a private key that can be used to decrypt 
information encrypted with the public key. The terminal generates and stores a 
naturally occurring random number as a secret session (symmetric) key, encrypts the 
10 symmetric session key with the public key, and transmits the encrypted session key 
to the network. The network decrypts the session key with the private key, and both 
the network and terminal encrypt the ensuing communications with the secret session 
key. Again, the communications network is not required to know the identity of the 
terminal in order to maintain encrypted communications with the terminal. 

15 

BRIEF DESCRIPTION OF THE DRAWINGS 

A more complete understanding of the method and apparatus of the present 
invention may be had by reference to the following detailed description when taken 
in conjunction with the accompanying drawings wherein: 
20 FIGURE 1 is a perspective view of an exemplary generic access network 

connected to a plurality of service networks and service network subscribers; 

FIGURE 2 is a top level schematic block diagram of a generic access 
network in which a method of encrypting radio traffic between service networks and 
service network subscribers can be implemented, in accordance with a preferred 
25 embodiment of the present invention; 

FIGURE 3 is a schematic block diagram of the access network illustrated in 
FIGURE 2; 

FIGURE 4 is a sequence diagram that illustrates a method that can be used 
to encrypt radio communications between a generic access network and a terminal, 
30 in accordance with a preferred embodiment of the present invention; and 
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FIGURE 5 is a block diagram of a method that can be used to certify the 
authenticity of a public key and the owner of the key with a digital signature, in 
accordance with a preferred embodiment of the present invention. 

DETAILED DESCRIPTION OF THE DRAWINGS 

The preferred embodiment of the present invention and its advantages are 
best understood by referring to FIGURES 1-5 of the drawings, like numerals being 
used for like and corresponding parts of the various drawings. 

Essentially, in accordance with a preferred embodiment of the present 
invention, a mobile terminal stores at least one public key. along with a unique 
identification character of at least one GAN associated with that public key. in a 
memory location, A GAN continuously broadcasts its unique identification 
character in all cells connected to that GAN. When contact is initiated between the 
terminal and that GAN, die terminal compares die received identifier with the stored 
identifier(s), and if a match can be made, the terminal generates a random secret 
key, encrypts the secret key with the public key associated with that GAN's 
identifier, and transmits die encrypted secret key. The GAN decrypts the secret key 
using a private key associated with the public key. The secret key is used thereafter 
by the terminal and the GAN to encrypt and decrypt the ensuing radio traffic. 
Notably, the GAN can maintain secure conununications with the terminal without 
ever knowing the terminal's identity. Furthermore, since the GAN does not need 
to know the identity of such a terminal, the GAN is not required to maintain a 
database of individual terminal encryption keys. Additionally, the terminal is not 
required to store its own secret key. because it can generate a new secret key for 
each communications session. 

FIGURE 2 is a top level schematic block diagram of a generic access 
network in which a method of encrypting radio traffic between service networks and 
service network subscribers can be implemented, in accordance with a preferred 
embodiment of the present invention. A GAN 100 is shown, which includes a 
transport network 102 interconnected with an access network 104. A plurality of 
service networks (e.g., PLMN, ISDN, PSTN, INTERNET, VOD) are connected 
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through respective access ports (e.g., 106, 108, 110, 112, 114) to transport network 
102 and access network 104. Access network 104 includes a plurality of RNCs and 
associated base stations (e.g., RNC(l)-RNCCN)). The plurality of RNCs and 
associated base stations are connected by a respective radio interface to a plurality 
5 of mobile transceivers (terminals) 116, 118, 120 and 122. A user of each mobile 
terminal is a subscriber to at least one of the service networks PLMN, etc. The 
mobile terminals can communicate with their respective service networks in the 
manner described above with respect to FIGURE 1 . More specifically, the RNCs 
control communications between the terminals and their respective service networks. 

10 Notably, although a plurality of mobile terminals (1 16, etc.) are shown in FIGURE 
2, this is for illustrative purposes only. One or more fixed radio terminals may also 
be connected to GAN 100 and are thus capable of communicating with at least one 
of the service networks. 

FIGURE 3 is a schematic block diagram of access network 104 illustrated 

15 in FIGURE 2. Access network 104 includes a plurality of RNCs (e.g., RNC(l)- 
RNC(N)). However, although a plurality of RNCs is shown for this embodiment, 
the present invention can be implemented with only one RNC. At least one service 
network (e.g., 130, 132, 134) is connected through at least one respective access 
port (e.g., API, AP(N-l), AP(N)) to at least one RNC. At least one base station 

20 (e.g., BS(1), BS(N)) is connected to a respective RNC (e.g., RNC(l), RNC(N)). 
Although a plurality of base stations is shown, the present invention can be 
implemented with only one base station. 

A mobile terminal (e.g., cellular phone 118) is connected by a radio interface 
to base station BS(1). It should be readily understood that one terminal (118) is 

25 shown for illustrative purposes only and that one or more additional terminals could 
be shown. The RNCs (e.g.. RNC(1)-RNC(N)) are interconnected by 
communications lines (136, 138) for communications therebetween. Consequently, 
terminal 118 can establish communications with any of the service networks (e.g., 
130, 132, 134) through access network 104 and GAN 100 (FIGURE 2). Notably, 

30 the coverage provided for each service network can be enlarged by switching to a 
different access port of access network 104. In other words, terminal 118 can 
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communicate with service network 132 through RNC(l), interconnecting line 136, 
and RNC(N-l). Alternatively, if service network 132 is switched to access port 
AP(1), terminal 118 can communicate with service network 132 through RNC(l). 
FIGURE 4 is a sequence diagram that illustrates a method that can be used 
5 to encrypt radio communications between a generic access network and a terminal, 
in accordance with a preferred embodiment of the present invention. The method 
200 of encrypting communications can begin at the GAN or the terminal. For 
example, in this embodiment, at step 204. the GAN (e.g.. 10) continuously 
broadcasts a unique identification character in all cells connected to that GAN. The 
1 0 terminal (e.g. . 118) contains a non-volatiJe memory located in a GAN section of the 
terminal. The teiminal stores at least one public key in the non-volatile memory. 
Along with each public key. the teiminal also stores a respective expiration date for 
the key. and a GAN identification character that identifies a specific GAN associated 
with that key. In other words, each public key stored in the terminal's memory is 
thereby associated with a specific GAN. The terminal initiates contact by registering 
with a GAN (but not necessarily setting up a call). A processor in the terminal 
compares the received GAN identifier with the stored identifiers, and if a match can 
be made (and the key has not expired), the processor retrieves the stored public key 
associated with the identified GAN. However, in the event that no such match is 
20 found, the terminal sends a request for the GAN to transmit a public key. The 
transmitted public key (and its expiration date) is stored in the terminal and can be 
used to encrypt a secret key in the current and ensuing communication sessions. 

At step 206, the terminal generates a (synunetric) secret key (described in 
detaU below). At step 208, the terminal uses the retrieved public key to encrypt the 
secret key. At step 210, the terminal transmits the encrypted secret key to the 
identified GAN. At step 212, the GAN decrypts the secret key, which, at step 214. 
is used by the GAN and the terminal for encrypting traffic during the ensuing 
communications session (described in detail below). 

Alternatively, at the end of a session with a GAN. the terminal stores the 
public key used for that session. When the terminal or a GAN begins a new 
communications session, the terminal retrieves the public key stored from the last 



25 



30 
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session with a GAN, and uses that public key to encrypt a secret key to be used for 
the ensuing session. If the use of that stored public key is unsuccessful, the terminal 
then sends a request to the GAN for a new public key. This technique 
advantageously increases network throughput, because a network channel is not tied 
5 up transmitting a public key. However, if a public key has not been stored from a 
past session with a particular GAN, the terminal can still receive the public key by 
requesting it from the GAN and using it to encrypt a secret key that will be used for 
the ensuing session. In any event, by storing the relatively large (bit-wise) public 
keys in the terminal, as opposed to transmitting them from the GAN, radio 

10 transmission delays can be reduced significantly, a substantial amount of network 
transmission time can be saved, and data throughput will be increased. 

FIGURE 4 also illustrates a method that can be used to encrypt radio 
communications between a generic access network and a mobile terminal, in 
accordance with another embodiment of the present invention. For example, when 

1 5 communications are desired between a service network and a terminal (e.g. , PLMN 
and terminal 118), the service network or terminal can initiate communications with 
a call setup message. At step 202, as the initial connection between the GAN and 
the terminal is established, the service network can request that the ensuing traffic 
will be encrypted. If so, at step 204, still during the initial call semp process, the 

20 terminal receives a public key which is continuously broadcast from one or more 
base stations (e.g., BS(1)-BS(N)). 

In this embodiment, all of the RNCs maintain at least one public key /private 
key pair (the same pair in every RNC) in a memory storage location. The public 
key that was broadcast by the GAN is received by the terminal (118) that has 

25 initiated contact with that GAN. Preferably, both the call setup procedure and the 
procedure to transfer the public key is performed by an RNC, which is connected 
through an access port to the service network of interest (e.g., RNC(l) to AP(1) to 
PLMN 130). Alternatively, a base station (e.g., BSl) can be configured to maintain 
public/private key pairs and broadcast or otherwise transfer a public key to a 

30 terminal. 
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The RNC can broadcast the public key in all cells in the RNC's coverage 
area. ConsequenUy. since the GAN broadcasts the public key instead of having the 
terminal request the key from the GAN, the teiroinal can register with the GAN 
much faster, and a call can be set up in a substantially shoner period of time. 
Alternatively, instead of broadcasting the public key in a plurality of cells, the RNC 
can transfer the public key directly through the base station that has established 
contact with the terminal. However, the method of broadcasting the public key in 
a plurality of cells before call setup advantageously decreases the load on the GAN's 
dedicated traffic charmels. 

For all embodiments, as long as the terminal is registered with the GAN, the 
same public key can be used for all subsequent communications with that GAN. 
because the same key is stored at the GAN and also at the terminal. Alternatively, 
the public key can be changed periodically in accordance with a predetermined 
scheme or algorithm, or even at the whim of the GAN operator. If an operator 
desires to change public keys periodically, storing each public key's expiration date 
at the terminal facilitates their use in that regard. Furtheimore. in the preferred 
embodiment, when the public key is changed, it can be broadcast by the GAN for 
a predetermined period of time, to minimize the number of terminal requests for a 
new public key. 

As described earlier, at step 202, the GAN can maintain one or more 
asymmetric public key/private key pairs. In that event, a so-called "RSA Algorithm- 
can be used to create the public key/private key pairs. The RSA Algorithm 
combines the difficulty of factoring a prime number with the ease of generating 
large prime numbers (using a probabilistic algorithm) to split an encryption key into 
25 a public part and a private part. 

Specifically, assuming that the letters P and Q represent prime numbers, the 
letter M represents an unenciypted message, and the letter C represents the 
encrypted form of M, the RSA Algorithm can be expressed as follows: 

mod PQ = > C (encrypted message M) (l) 
mod PQ = > M (decrypted message C) (2) 



20 
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where the term (DE-l) is a multiple of (P-1)(Q-1). In this embodiment, the 
exponent E is set to 3. The private and public keys are each composed of two 
numbers. For example, the numbers represented by (PQ, D) make up the private 
key, and the numbers represented by (PQ, E) make up the public key. Since the 
5 same value for E is used consistently, only the PQ portion of the number need be 
sent on request or broadcast and used for the public key (e.g., at step 204). By 
knowing the private key, any message encrypted with the public key can be 
decrypted. 

Returning to FIGURE 4, at step 206, the terminal (118) receives and/or 

10 stores the asymmetric public key. The terminal generates a random synunetric 
secret key. The random secret key, which is used to encrypt communications 
preferably for the complete session, can be generated in at least one of four ways. 
Using one method, the terminal takes several samples from measurements of the 
strength of the received signal, concatenates the lower order bits of the several 

15 samples, and processes the result to produce a random number. Since the lower 
order bits of the received signal are well within the noise level of the received 
signal, a naturally occurring, truly random number is generated. A second random 
number generating method is to use the random noise signal created at the input of 
an A/D converter connected to a microphone. Again, using this method, a naturally 

20 occurring, truly random number can be generated for the secret key. A third 
random number generating method is for the terminal to take samples from phase 
measurements of the received signal, concatenate the lower order bits of the 
samples, and process the result to produce a random number. A fourth random 
number generating method is for the terminal to take samples from the encoding 

25 section of the speech codec, concatenate the lower order bits of the samples, and 
process the result to produce the random number. 

Alternatively, a random number generated at the terminal can be used as a 
seed for a pseudorandom number generator. The seed is encrypted with the public 
key from the CAN, and transmitted to the GAN. The seed is used simultaneously 

30 in the GAN and the terminal to produce a pseudorandom number. The 
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pseudorandom number thus generated can be used by the GAN and the terminal as 
the secret key for the ensuing conununications session. 

The session key can be changed periodically to a different number in the 
pseudorandom number sequence. For example, the session key can be changed for 
a number of reasons, such as after a predetermined amount of data has been 
encrypted, or after traffic has been encrypted for a predetermined amount of time. 
The terminal or the GAN can initiate a change of the secret key, or the key can be 
changed according to a predetennined scheme or algorithm. For example, a request 
to change the secret session key can be implemented by transmitting a "session key 
change request" message, or by setting a "session key change request" bit in the 
header of a transmitted message. 

Additionally, shorter session keys can be generated and less complicated 
encryption algorithms can be used with the pseudorandom number generation 
method described above. Consequently, a substantial amount of processing power 
can be saved in the GAN and especially in the terminal. The terminal can be 
configured to select the length of the session key to be used, in order to address 
trade offs between security and computational requirements. For example, the 
terminal's processor can select the length of a secret session key by generating a 
session key at that length, or by specifying the number of bits to be used from the 
output of the pseudorandom number generator. Alternatively, the terminal can 
specify the range of the output of the pseudorandom number generator to set a 
predetennined length. 

Other alternative methods may be used to generate a pseudorandom number 
for a secret session key. For example, using a "Lagged Fibonacci" type of 
pseudorandom number generator, the n"^ number in the pseudorandom number 
sequence, N^, can be calculated as follows: 

N.=(N„.,-N,,) mod M (3) 
where k and 1 are the so-called lags, and M defines the range of the pseudorandom 
numbers to be generated. For optimum results, the largest lag should be between 
1000 and 10000. If a relatively long key is desired, a plurality of the pseudorandom 
numbers produced by equation 3 can be concatenated to produce a longer key. If 
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the pseudorandom numbers produced by equation 3 are to be floating point numbers 
between 0 and 1, M can be set to 1. The bit patterns of such floating point 
pseudorandom numbers can be used as symmetric encryption keys. 

Another pseudorandom number generator that can be used to create a secret 
5 session key is based on an algorithm that produces pseudorandom numbers 
uniformly distributed between 0 and 1 . Specifically, the seeds Xq, Yq and of the 
pseudorandom numbers are initially set to integer values between 1 and 30000. 
The pseudorandom numbers N„ are then calculated as follows: 

X„=171*(X„.imod 177H2*X„V177) (4) 

10 Y„=172*(Y„.i mod 176)-(35*Y„V176) (5) 

Z„= 170*(Z,i mod 178H63*Z„.,/178) (6) 
If any of the values of X„, Y„ or Z„ are less than zero, respectively, then X„ is set 
equal to X„+30269, Y„ is set equal to Y„-f30307, or Z„ is set equal to Z„+30323. 
The pseudorandom numbers N„ are then equal to ((X„/30269 + Y„/30307 + 

15 Z„/30323) amod 1). where X„, Y„ and Z„ are floating point numbers, and "amod" 
means that these numbers can be fractions. The floating point numbers generated 
with this algorithm form bit patterns that are suitable for use as symmetric 
encryption keys. The length of such keys can be extended by concatenating a 
plurality of the pseudorandom numbers generated. 

20 Returning to the method illustrated by FIGURE 4, at step 208, preferably 

using the above-described RSA Algorithm, the terminal encrypts the secret 
synunetric key with the public key. For example, assume that the secret symmetric 
key generated at the terminal is represented by the letters SK. Using equation 1 of 
the RSA Algorithm, the secret key is encrypted as follows: 

25 mod PQ = > C 

where (PQ, E) represents the public key, M is equal to SK, and C is the encrypted 
version of SK, The exponent E is set to 3. 

In the preferred embodiment, the terminal places the encrypted secret key 
into a message format, which includes a header and message field. The header 

30 provides control information associated with the encrypted secret key that follows 
in the message field. A bit in the header can be set to indicate that the message field 



wo 98/10561 



PCT/SE97/01407 



-14- 

that follows the header is encrypted. In other words, only the secret key field of the 
message is encrypted. The header of the message is transmitted in the clear. 
Consequently, a substantial amount of network processing time can be saved at the 
RNC, since the header indicates whether the subsequent message field is encrypted, 
and if so, only that portion of the message is to be decrypted. 

At step 210, the terminal (118) transmits the encrypted secret key (C) to the 
CAN via the contacted base station (e.g., BS(1)). In the preferr«l embodiment, this 
secret key is used for the ensuing communications. Alternatively, at any time 
during the ensuing communications session, the terminal can generate a new secret 
key, encrypt it with the public key, and transmit the new encrypted secret key to the 
GAN. The security of the session is thereby increased, because by reducing the 
amount of time that a particular secret key is used for a session, the likelihood that 
the secret key will be broken by an unauthorized user is also reduced. 

At step 212. the RNC (e.g.. RNC(l)) receives the encrypted secret key (C) 
from the base station, and decrypts die secret key using the private key part of the 
RSA AlgoriUmi. For example, using equation 2 (above) of the RSA Algorithm, the 
received encrypted secret key (C) is decrypted as follows: 

C mod PQ = > M 
where (PQ. D) r<5presents the private key. and M is equal to SK (secret key). 

At step 214, the ensuing radio traffic between the RNC and the terminal is 
encrypted and decrypted with the secret key, which is now known to both the RNC 
and the terminal. A known symmetric encryption algorithm can be used to encrypt 
and decrypt the ensuing radio traffic with the secret key. such as, for example, a 
one, two or three pass Data Encryption Standard (DES) algorithm, or a Fast 
Encipherment Algorithm (FEAL). 

As yet another encryption alternative, instead of using the RSA Algorithm 
to create a public/private key pair, a so<alled Diffie-Hellman "exponential key 
exchange" algorithm can be used to let the terminal and the GAN agree on a secret 
session key. In using diis encryption scheme, two numbers (a, q) are stored at the 
GAN. At die beginning of a communications session, the RNC transmits the two 
numbers directly (or broadcasts the numbers) to the terminal. The numbers a and 
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q are required to meet the following criteria: q is a large prime number that defines 
the finite (Galios) field GF(q) = 1, 2.... q-1; and a is a fixed primitive element of 
GF(q). In other words, the exponents (x) of (a' mod q) produce all of the elements 
1,2..., q-1 of GF(q). In order to generate an agreed to secret session key, the two 

5 numbers (a, q) are transmitted directly (or broadcast) ft-om the GAN to the terminal. 
Alternatively, the two numbers can be already resident in the terminal's non-volatile 
memory. The terminal (118) generates the random number Xt(1 <XT<q-l), and 
computes the value of YT=a\ mod q. The GAN (e.g., the RNC or base station) 
generates the random number Xg(1 <XG<q-l), and computes the value of Yc=a''c 

1 0 mod q. The random numbers can be generated at the terminal using the methods 
described above with respect to generating naturally occurring, truly random 
numbers. 

Yt and Yq arc transferred unencrypted to the respective GAN and terminal. 
Upon receipt of the number Yo, the terminal calculates the value of Ks=Yg''t "lod 

15 q = (^c\ mod q. Upon receipt of the number Yt, the GAN calculates the value of 
Ks=Y/o mod q=aVo mod q. The number Xt is kept secret at the terminal, the 
number Xc is kept secret at the GAN, but the value of Kj is now known at both the 
terminal and the GAN. The number Ks is therefore used by both as the 
communications session encryption key. An unauthorized user would not know 

20 either Xt or Xq and would have to compute the key Kg from Yt and Yq, which is 
a prohibitive computational process. A significant security advantage of using the 
exponential key exchange algorithm is that the GAN is not required to maintain 
secret private key data on a permanent basis. 

In summary, when a communications session is first initiated between a GAN 

25 and a terminal, the terminal receives an asymmetric public key that has been 
continuously broadcast by the GAN, retrieved from the terminal's internal memory, 
or requested from the GAN. The GAN maintains a private key that can be used to 
decrypt information encrypted with the public key. The terminal generates and 
stores a namrally occurring random number as a secret session (symmetric) key, 

30 encrypts the symmetric session key with the public key, and transmits the encrypted 
session key to the GAN. The GAN decrypts the session key with the private key. 
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and both the GAN and terminal encrypt the ensuing communications with the secret 
session key. A primary technical advantage of transferring a public key from a 
GAN to a terminal at the onset of communications is that the GAN is not required 
to know the identity of the terminal in order to have encrypted communications with 
the terminal. However, a problem can arise if an unauthorized user attempts to 
impersonate a GAN and transmits a public key to the terminal. In that event, as 
described below, the terminal can be configured to authenticate the received public 
key and the identity of the GAN. 

For example, when a public key is to be tiansfeired from a GAN to a 
terminal, the key can be transferred with a public key "certificate". This certificate 
provides proof that the associated public key and the owner of that key are authentic. 
A -trusted" third party can issue the public key along with the certificate, which 
includes a "digital signaUire" that authenticates the third party's identity and the 
public key. The certificate can also contain the GAN's identity and the expiration 
date of the certificate, if any. 

In one aspect of the invention, the GAN transmits the certificate and public 
key to the terminal. In that case, the public key of the third party is pre-stored (a 
priori) at the subscribing terminals. 

FIGURE 5 is a block diagram of a method that can be used to certify the 
authenticity of a public key and the owner of the key with a digital signature, in 
accordance with the present invention. The method (300) of digitally signing a 
public key certificate and verifying its authenticity begins at step 302. At step 302, 
a "certificate" containing unencrypted information about the owner of the public key 
to be transferred to a terminal is prepared by a trusted third party. The unencrypted 
information also includes the public key and the expiration date of the certificate. 
At step 304, the resulting "unsigned" cenificate is processed with an irreversible 
algorithm (e.g., a hashing algorithm) to produce a message digest at step 306. which 
is a digested or shortened version of the information included on the certificate. At 
step 308. the digest information is encrypted with a private key of a different 
public/private key pair. Preferably, an RSA algorithm similar to equations 1 and 
2 above is used to derive this key pair. At step 310. a digitally signed public key 



wo 98/10561 PCT/SE97/01407 



-17- 

certificate is thereby produced that contains the originally unencrypted information 
(including the public key to be used for the communications session) and the digest 
information, which is now encrypted with the certificate issuer's private key. The 
digitally signed public key certificate is then transferred to the terminal that has 

5 initiated contact with the GAN. 

At step 312, upon receiving the digitally signed certificate, the terminal's 
processor analyzes the unencrypted and encrypted portions of the document. At step 
314, the unencrypted information is processed using an algorithm identical to the 
hashing algorithm used at step 304. At step 316. a second digested version of the 

10 unencrypted information is produced at the terminal. At step 318, the terminal's 
processor retrieves the pre-stored certificate issuer's public key from memory, and 
using an RSA algorithm, decrypts the encrypted digest information from the 
certificate. Another version of the unencrypted digested information is thereby 
produced at step 320. At step 322, the terminal compares the two versions of the 

15 unencrypted digested information, and if the compared information is identical, the 
certificate's signature and the session public key are assumed to be authentic. That 
certified public key can now be used by the terminal to encrypt the secret session 
key. 

Although a preferred embodiment of the method and apparatus of the present 
20 invention has been illustrated in the accompanying Drawings and described in the 
foregoing Detailed Description, it will be understood that the invention is not limited 
to the embodiments disclosed, but is capable of numerous rearrangements, 
modifications and substitutions without departing from the spirit of the invention as 
set forth and defined by the following claims. 
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WHAT IS CLAIMED IS: 

1 A method for encrypting conununications traffic between a mobile 
communications network and a communications terminal, comprising the steps of: 
storing a public key and a first identifier associated with said mobile 
communications network at said communications terminal; 

comparing said first identifier stored at said communications tenninal with 
a second identifier received from said mobile communications network and 
producing a first predetermined result; 

generating a secret key at said communications terminal; 
enciypting said secret key with said stored public key at said communications 
terminal; and 

transmitting said encrypted secret key from said communications terminal. 

2. The method according to Claim 1. further comprising the steps of: 
receiving said encrypted secret key at said mobile communications network; 
decrypting said received encrypted secret key with a private key. said private 
key associated with said public key; and 

encrypting said communications traffic with said secret key. 

^° ^- '^^^ '"^^hod according to Claim 1, wherein the step of storing a 

public key comprises the step of a priori pre-storing the public key. 

4. The method according to Claim 1. further comprising the step of 
transmitting said public key from said mobile communications network upon 
receiving a public key request from said communications terminal. 

5. The method according to Claim 4. wherein the step of transmitting 
said public key further comprises the step of transmitting information to authemicate 
said public key. 



15 
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6. The method according to Claim 4, further comprising the step of 
transmitting said request from said communications terminal upon said comparing 
step producing a second predetermined result. 

5 7. The method according to Claim 1 , wherein the steps of receiving and 

decrypting said encrypted secret key are performed at a radio base station in said 
mobile communications network. 

8. The method according to Claim 1, wherein the step of decrypting said 
10 received encrypted secret key is performed at a radio network controller in said 

mobile communications network, 

9. The method according to Claim 1, wherein said mobile 
conununications network comprises a generic communications network. 

15 

10. The method according to Claim 1, wherein said communications 
terminal comprises a mobile terminal. 

11. The method according to Claim 1, wherein said communications 
20 terminal comprises a fixed terminal. 

12. The method according to Claim 1, wherein said communications 
terminal comprises an unidentified communications terminal. 

25 13. The method according to Claim 1, wherein said mobile 

communications network comprises a cellular phone network. 

14. The method according to Claim 1, further comprising the steps of: 
connecting a plurality of service networks to said mobile conununications 
30 network, a user of said communications terminal being a subscriber to at least one 
of said plurality of service networks; and 
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providing a communications path between said communications terminal and 
said at least one of said plurality of service networks. 

15. The method according to Claim 1 . wherein said private key and said 
5 public key are associated by an RSA Algorithm. 

16. The method according to Claim 1 . wherein said secret key comprises 
a symmetric encryption key. 



10 



30 



17. The method according to Claim 1 , wherein the step of generating a 
secret key comprises the step of generating a naturally occurring random number. 



18. The method according to Claim 1, wherein the step of generating a 
secret key comprises the steps of: 

1 5 detecting a received signal in digital form at said communications terminal; 

and 

extracting at least one low order bit from said detected received signal. 

19. The method according to Claim 1 , wherein the step of generating a 
20 secret key comprises the steps of: 

detecting a signal at an output of a microphone A/D convener; and 
extracting at least one low order bit from said detected output signal. 

20. The method according to Claim 1 , wherein the step of generating a 
25 secret key comprises the steps of: 

detecting a signal at an output of a speech codec; and 

extracting at least one low order bit from said detected output signal. 



21. The method according to Claim 1 , wherein the step of generating 
secret key comprises the steps of: 
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generating a seed for a pseudorandom number; and 
generating a pseudorandom number from said seed. 



22. The method according to Claim 1, wherein a length of said secret key 
5 is predetermined at said conmiunications terminal. 

23. The method according to Claim 1, wherein said secret key further 
comprises a plurality of concatenated numbers. 

10 24. The method according to Claim 1, wherein the step of storing said 

public key and said first identifier further comprises storing an expiration date 
associated with said public key. 

25. The method according to Claim 24, wherein said conmiunications 
1 5 terminal transmits a public key request to said mobile communications network if 

said public key has expired, 

26. The method according to Claim 1, further comprising the steps of: 
changing said public key at said mobile communications network; and 

20 storing said changed public key at said communications terminal. 

27. The method according to Claim 26, wherein the step of changing said 
public key further comprises the step of broadcasting said changed public key from 
said mobile conmiunications network for a predetermined period of time. 

25 

28. A method for encrypting traffic between a generic 
communications network and a first communications terminal, comprising the steps 
of: 

broadcasting a public key from said generic communications network to a 
30 plurality of communications terminals, said plurality of communications terminals 
including said first communications terminal; 
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generadng a secret key at said first communications terminal; 

encrypting said secret key with said public key at said first communications 

terminal; 

transmitting said encrypted secret key from said first communications 
terminal; 

receiving said enco'pted secret key at said generic communications network; 
decrypting said received encrypted secret key with a private key. said private 
key associated with said public key; and 

encrypting said traffic with said secret key. 

29. The method according to Claim 28, wherein the broadcasting step 
further comprises the steps of : 

transferring said public key from a radio network controller to at least one 
base station in said generic communications network; and 

transmitting said public key from said at least one base station. 

30. The method according to Claim 28. wherein said broadcasting step 
comprises the step of transmitting said public key from a plurality of base stations 
in said generic communications network. 

31. The method according to Claim 28, wherein said first 
communications terminal comprises an unidentified communications terminal. 

32. The method according to Claim 28, wherein the step of broadcasting 
said public key further comprises the step of broadcasting information to authenticate 
said public key. 

33. The method according to Claim 28. wherein the step of broadcasting 
said public key further comprises the step of transmitting, on request, information 

to authenticate said public key. 
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34. A method for encrypting communications traffic between a mobile 
communications network and a communications terminal, comprising the steps of: 

storing two numbers associated with a Diffie-Hellman exponential key 
exchange algorithm and a first identifier associated with said mobile communications 
5 network at said communications terminal; 

comparing said first identifier stored at said communications terminal with 
a second identifier received from said mobile communications network and 
producing a first predetermined result; 

generating a first random number at said communications terminal; 
1 0 generating a second random number at said mobile communications network; 

and 

using said first and secoixl random numbers as inputs to said Diffie-Hellman 
exponential key exchange algorithm, generating a third number to be used as a 
secret key by said communications terminal and said mobile communications 
15 network. 

35. The method according to Claim 34, wherein the step of storing two 
numbers comprises the step of a priori pre-storing said two numbers. 

20 36. The method according to Claim 34, further comprising the step of 

transmitting said two numbers from said mobile communications network upon 
receiving a request for said two numbers from said communications terminal. 

37. The method according to Claim 36, further comprising the step of 
25 transmitting said request from said conmiunications terminal upon said comparing 

step producing a second predetermined result. 

38. The method according to Claim 34, wherein the step of storing said 
two numbers and said first identifier further comprises storing an expiration date 

30 associated with said two numbers. 
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39. The method according to Claim 38, wherein said communications 
terminal transmits a request for two new numbers associated with said Diffie- 
Hellman exponential key exchange algorithm if said two numbers has expired. 

5 40. The method according to Claim 34, further comprising the steps of: 

changing said two numbers associated with a Diffie-Hellman exponential key 
exchange algorithm at said mobile communications network; and 
storing said changed two numbers at said communications terminal. 

^ 0 41. The method according to Claim 40, wherein the step of changing said 

two numbers further comprises the step of broadcasting said changed two numbers 
from said mobile communications network for a predetermined period of time. 

42. A method for encrypting traffic between a generic conmiunications 
15 network and a first communications terminal, comprising the steps of: 

broadcasting two numbers associated with an exponential key exchange 
algorithm from said generic communications network to a plurality of 
communications terminals, said plurality of communications terminals including said 
first conununications terminal; 
20 generating a first random number at said first conmiunications terminal; 

generating a second random number at said generic communications network; 

using said first and second random numbers as inputs to said exponential key 
exchange algorithm, generating a third number to be used as a secret key by said 
first communications terminal and said generic communications network: 
25 and encrypting said traffic with said secret key. 

43. A system for use in encrypting traffic between a generic 
communications network and a communications terminal, comprising: 

an access network included in said generic communications network; and 
30 access network means coupled to said communications terminal and 

associated with said access network, for storing a public encryption key associated 
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with said generic communications network, generating a secret key, encrypting said 
secret key with said stored public encryption key, and transmitting said encrypted 
secret key to said generic communications network. 

5 44. A system for use in encrypting traffic between a generic 

communications network and a communications terminal, comprising: 

first network means for storing a private encryption key, distributing a public 
encryption key, and decrypting an encrypted secret session key; 

second network means connected to said first network means, for 
10 broadcasting said distributed public encryption key, said first and second network 
means associated with an access network of said generic communications network; 
and 

access network means coupled to said communications terminal and 
associated with said access network of said generic conununications network, for 
15 receiving said broadcast public encryption key, generating a secret key, encrypting 
said secret key with said received public encryption key, and transmitting said 
encrypted secret key to said generic communications network. 
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